Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging

“…Subsequent to these strongly secure ratcheting notions, multiple weaker formal definitions for ratcheting were proposed that consider special properties such as strong explicit authentication [8], out of order receipt of ciphertexts [1], or primarily target on allowing efficient instantiations [12,4]. Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted).…”

“…Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted). 1 Recovery from attacks required by Jost et al [12] is immediate in so far as their restrictions of state exposures introduce delays implicitly. Gray marked cells indicate the reason (i.e., relaxations in security) why respective instantiations can rely on standard PKC only (circumventing our implication result).…”

“…Furthermore, both works neglect bad randomness as an attack vector. In the security experiments by Jost et al [12] and Alwen et al [1] constructions can delay the recovery from attacks longer than necessary (Jost et al therefore temporarily forbid the exposure of the local state). Additionally, they do not require the participants' states to become incompatible (immediately) on active attacks against the communication.…”

“…Interestingly, both mentioned unidirectional RKE instantiations that were defined to depict optimal security [3,17] as well as bidirectional real-world examples such as the Signal protocol (analyzed in [6]), and instantiations of the above named relaxed security notions [8,12,1,4] only rely on standard PKC (cf. rows in Table 1 with gray cells).…”

“…We emphasize a significant difference between key-updatable public key encryption and HkuPke (introduced in [12]): in HkuPke key updates rely on interactive communication between holders of public key and secret key, and associated data for key updates is not fully adversary-controlled. These differences make it strictly weaker, insufficient for optimal security of RKE (on which we further elaborate in Section 3).…”

Determining the Core Primitive for Optimally Secure Ratcheting

“…Subsequent to these strongly secure ratcheting notions, multiple weaker formal definitions for ratcheting were proposed that consider special properties such as strong explicit authentication [8], out of order receipt of ciphertexts [1], or primarily target on allowing efficient instantiations [12,4]. Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted).…”

“…Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted). 1 Recovery from attacks required by Jost et al [12] is immediate in so far as their restrictions of state exposures introduce delays implicitly. Gray marked cells indicate the reason (i.e., relaxations in security) why respective instantiations can rely on standard PKC only (circumventing our implication result).…”

“…Furthermore, both works neglect bad randomness as an attack vector. In the security experiments by Jost et al [12] and Alwen et al [1] constructions can delay the recovery from attacks longer than necessary (Jost et al therefore temporarily forbid the exposure of the local state). Additionally, they do not require the participants' states to become incompatible (immediately) on active attacks against the communication.…”

“…Interestingly, both mentioned unidirectional RKE instantiations that were defined to depict optimal security [3,17] as well as bidirectional real-world examples such as the Signal protocol (analyzed in [6]), and instantiations of the above named relaxed security notions [8,12,1,4] only rely on standard PKC (cf. rows in Table 1 with gray cells).…”

“…We emphasize a significant difference between key-updatable public key encryption and HkuPke (introduced in [12]): in HkuPke key updates rely on interactive communication between holders of public key and secret key, and associated data for key updates is not fully adversary-controlled. These differences make it strictly weaker, insufficient for optimal security of RKE (on which we further elaborate in Section 3).…”

Determining the Core Primitive for Optimally Secure Ratcheting

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

Bidirectional Asynchronous Ratcheted Key Agreement with Linear Complexity